TNC Server with PTS-IMV » History » Version 3
Version 2 (Andreas Steffen, 30.11.2011 11:13) → Version 3/57 (Andreas Steffen, 30.11.2011 11:48)
h1. TNC Server with PTS-IMV
This HOWTO explains in a step-for-step fashion how a strongSwan IPsec gateway with integrated TNC server functionality and an attached Platform Trust Service Integrity Measurement Verifier (PTS-IMV) can verify remote attestation measurement data provided by a TNC client via the IKEv2 EAP-TTLS protocol.
{{>toc}}
h2. Installation and Configuration
The following steps describe the installation of the strongSwan software
<pre>
wget http://download.strongswan.org/strongswan-4.6.2dr1.tar.bz2
tar xjf strongswan-4.6.2dr1.tar.bz2
cd strongswan-4.6.2dr1
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl
--enable-eap --enable-eap-identity --enable-eap-md5 --enable-eap-ttls
--enable-eap-tnc --enable-tnccs-20 --enable-tnc-imv --enable-imv-attestation
make
[sudo] make install
</pre>
The /etc/ipsec.conf file defines a remote access template:
<pre>
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3, pts 3"
/* TODO */
</pre>
h2. IKEv2 Negotiation
h3. Startup and Initialization
The command
<pre>
ipsec start
</pre>
starts the TNC-enabled IPsec gateway:
<pre>
Nov 29 07:39:14 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:15 moon charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for dave@strongswan.org
Nov 29 07:39:15 moon charon: 00[KNL] listening on interfaces:
Nov 29 07:39:15 moon charon: 00[KNL] eth0
Nov 29 07:39:15 moon charon: 00[KNL] 192.168.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec0::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:c0ff:fea8:1
Nov 29 07:39:15 moon charon: 00[KNL] eth1
Nov 29 07:39:15 moon charon: 00[KNL] 10.1.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec1::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:aff:fe01:1
</pre>
The file /etc/tnc_config
<pre>
IMV IMC configuration file for strongSwan client
IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so
</pre>
defines which IMVs are loaded by the TNC server:
<pre>
Nov 29 07:39:15 moon charon: 00[TNC] TNC recommendation policy is 'default'
Nov 29 07:39:15 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Nov 29 07:39:15 moon charon: 00[TNC] added IETF attributes
Nov 29 07:39:15 moon charon: 00[TNC] added ITA-HSR attributes
Nov 29 07:39:15 moon charon: 00[LIB] libimcv initialized
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" initialized
Nov 29 07:39:15 moon charon: 00[TNC] added TCG attributes
Nov 29 07:39:15 moon charon: 00[PTS] added TCG functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Nov 29 07:39:15 moon charon: 00[LIB] libpts initialized
Nov 29 07:39:15 moon charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Root Certificate" from '/etc/pts/cacerts/privacy_ca_root.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Insecure/Unchecked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_0.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_1.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK+Platform-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_2.pem'
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" provided with bind function
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 supports 1 message type: 0x00559701
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/local/lib/ipsec/imcvs/imv-attestation.so'
</pre>
Next the IKEv2 credentials and all necessary plugins are loaded
<pre>
Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:15 moon charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for dave@strongswan.org
Nov 29 07:39:15 moon charon: 00[DMN] loaded plugins: curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
Nov 29 07:39:16 moon charon: 00[JOB] spawning 16 worker threads
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-isolate'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-isolate'
</pre>
This HOWTO explains in a step-for-step fashion how a strongSwan IPsec gateway with integrated TNC server functionality and an attached Platform Trust Service Integrity Measurement Verifier (PTS-IMV) can verify remote attestation measurement data provided by a TNC client via the IKEv2 EAP-TTLS protocol.
{{>toc}}
h2. Installation and Configuration
The following steps describe the installation of the strongSwan software
<pre>
wget http://download.strongswan.org/strongswan-4.6.2dr1.tar.bz2
tar xjf strongswan-4.6.2dr1.tar.bz2
cd strongswan-4.6.2dr1
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-curl
--enable-eap --enable-eap-identity --enable-eap-md5 --enable-eap-ttls
--enable-eap-tnc --enable-tnccs-20 --enable-tnc-imv --enable-imv-attestation
make
[sudo] make install
</pre>
The /etc/ipsec.conf file defines a remote access template:
<pre>
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3, pts 3"
/* TODO */
</pre>
h2. IKEv2 Negotiation
h3. Startup and Initialization
The command
<pre>
ipsec start
</pre>
starts the TNC-enabled IPsec gateway:
<pre>
Nov 29 07:39:14 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.2dr1)
Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:15 moon charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for dave@strongswan.org
Nov 29 07:39:15 moon charon: 00[KNL] listening on interfaces:
Nov 29 07:39:15 moon charon: 00[KNL] eth0
Nov 29 07:39:15 moon charon: 00[KNL] 192.168.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec0::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:c0ff:fea8:1
Nov 29 07:39:15 moon charon: 00[KNL] eth1
Nov 29 07:39:15 moon charon: 00[KNL] 10.1.0.1
Nov 29 07:39:15 moon charon: 00[KNL] fec1::1
Nov 29 07:39:15 moon charon: 00[KNL] fe80::fcfd:aff:fe01:1
</pre>
The file /etc/tnc_config
<pre>
IMV IMC configuration file for strongSwan client
IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so
</pre>
defines which IMVs are loaded by the TNC server:
<pre>
Nov 29 07:39:15 moon charon: 00[TNC] TNC recommendation policy is 'default'
Nov 29 07:39:15 moon charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA1[sha1] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS measurement algorithm HASH_SHA384[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_2048[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1536[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group MODP_1024[gmp] available
Nov 29 07:39:15 moon charon: 00[PTS] mandatory PTS DH group ECP_256[openssl] available
Nov 29 07:39:15 moon charon: 00[PTS] optional PTS DH group ECP_384[openssl] available
Nov 29 07:39:15 moon charon: 00[TNC] added IETF attributes
Nov 29 07:39:15 moon charon: 00[TNC] added ITA-HSR attributes
Nov 29 07:39:15 moon charon: 00[LIB] libimcv initialized
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" initialized
Nov 29 07:39:15 moon charon: 00[TNC] added TCG attributes
Nov 29 07:39:15 moon charon: 00[PTS] added TCG functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component namespace
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Nov 29 07:39:15 moon charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Nov 29 07:39:15 moon charon: 00[LIB] libpts initialized
Nov 29 07:39:15 moon charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Root Certificate" from '/etc/pts/cacerts/privacy_ca_root.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA Insecure/Unchecked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_0.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_1.pem'
Nov 29 07:39:15 moon charon: 00[PTS] loaded ca certificate "O=privacyca.com, CN=Privacy CA EK+Platform-Cert-Checked AIK Certificate" from '/etc/pts/cacerts/privacy_ca_level_2.pem'
Nov 29 07:39:15 moon charon: 00[IMV] IMV 1 "Attestation" provided with bind function
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 supports 1 message type: 0x00559701
Nov 29 07:39:15 moon charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/local/lib/ipsec/imcvs/imv-attestation.so'
</pre>
Next the IKEv2 credentials and all necessary plugins are loaded
<pre>
Nov 29 07:39:15 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 07:39:15 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 07:39:15 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 07:39:15 moon charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem'
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for carol@strongswan.org
Nov 29 07:39:15 moon charon: 00[CFG] loaded EAP secret for dave@strongswan.org
Nov 29 07:39:15 moon charon: 00[DMN] loaded plugins: curl sha1 pem pkcs1 gmp random pubkey x509 openssl revocation hmac kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 sqlite tnc-imv stroke
Nov 29 07:39:16 moon charon: 00[JOB] spawning 16 worker threads
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-allow'
Nov 29 07:39:16 moon charon: 16[CFG] received stroke: add connection 'rw-isolate'
Nov 29 07:39:16 moon charon: 16[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem'
Nov 29 07:39:16 moon charon: 16[CFG] added configuration 'rw-isolate'
</pre>